Rumi Contractor recently spoke to Metin Mitchell about cyber security in the boardroom and, as a follow-up, has written this guest blog on the biggest cyber security risks facing businesses.

I collected this list of cyber security risks, based on some of the reports and trends I read and came across on the Internet. These are risks as they exist today and will continue proliferating at a fast pace, impacting all of us individually and as corporates going forward ….

1) IoT device manufacturers will need to address major threats

The Internet of Things or IoT refers to the litany of devices that have come online in recent years. Everything from your dishwasher to your coffeemaker is online now—your refrigerator probably has a Twitter account at this point. All of these devices coming online – and perhaps more importantly, networking with other devices online – create a new attack surface that is extremely vulnerable.

Until IoT manufacturers identify authentication risks and establish identity assurance requirements, the threat will persist. Many organizations are trying their hardest to build Open Platforms to allow manufacturers such as Alexa and others to access other vendor products – I personally am wary of this technology as it exists in its current guise and maturity! As a matter of fact, I shy away from using technology which is still very much bleeding edge and not established through industry-accepted standards.


2) Mobile payments will come under attack

If you’ve been to a Walgreens, a Starbucks or any other large retailer lately, you know how many people are paying for things on their phones these days.

It seems like everyone – from retailers to technology titans like Apple and Google to banks – is designing NFC (Near Field Communication) and RFID (Radio Frequency Identification) mobile payment platforms these days. The idea is to make us all transact electronically without the need for any physical currencies! The other reason is that as humans we have a tendency to spend more when we are not transacting with physical tokens and currencies; this is a human, psychological issue which the retailers love to exploit in the name of convenience.

As you can imagine, this is an exciting new target for cybercriminals, who are already actively looking for a way to breach these systems and gain access to money and valuable financial details. Think about the Open Banking Platforms and PSD2 standards etc. that are already coming to banks in Europe. This is where regulators are asking banks to open up client accounts to established APIs so that Fintechs can piggyback on banking accounts and the power goes from a bank to the client! Crazy stuff is coming our way …….

3) Ransomware will continue to evolve as a threat

Ransomware is just one part of a larger threat: digital extortion. To date, it is the most effective weapon in the digital extortion toolbox. The ability to take over a system and effectively hold it hostage until a financial payment (aka ransom) is made is an attractive new business for cybercriminals, and this form of extortion will likely grow substantially from here onwards.

Even with certain strains, such as the CrySiS ransomware strain, having been defeated in 2016, others are already actively taking their place. Watch this space – this is a money-making solution, and while at the moment the target is unsecured individual PCs, the reality is that this will affect corporations in a big way in the future.

4) Autonomous vehicles and the lack of security standards

Each year more and more automobile manufacturers advertise advanced digital systems that they have added to their cars and trucks in order to stay competitive and technically relevant, from promises of ‘hands-free’ driving to providing an in-house internet experience to passengers when they are in their automobiles!

While this is exciting, it also creates a brand new attack vector. Consider for a second just how terrifying it would be if any of your car’s online systems were to come under attack while you’re in transit on a highway—or anywhere really. This is something the automobile manufacturers will need to address quickly.

Worse than this, if a virus were introduced in a car’s digital DNA it could ‘leak’ itself into your mobile phone or tablet – which we also connect to these days while driving in the car!

5) Learning to live and operate in the Cloud

As part of a continuing trend, expect to see a greater number of attacks on cloud-based management platforms, workloads and enterprise Software-as-a-Service (SaaS) applications. This, in turn, will cause the majority of companies and organizations to reassess their security budgets and redistribute a greater portion of it to cloud-based security, which could weaken the level of security on traditional servers and desktops.

The reality is that more and more systems are going to be hosted in the Cloud or Hybrid Environments where some systems will be in your premises, some with AWS, some at Azure and some others with Dell/EMC etc. This means that not only do you have to worry about your own environment being secure, you also need to worry about your partners’ hosting environments being secure and hacker-proof.

6) Password hygiene @ Client and Server end will be challenging

Major password breaches at established Internet Services organizations such as Twitter and Yahoo should have scared all of us into a greater awareness about our password hygiene. These breaches will continue in 2018++. At the core of the issue is our human tendency to re-use the same password across multiple accounts, meaning that with just a single compromise, the hacker gains access to passwords across multiple other accounts as well.

The right behaviour for all of us should be to use varied passwords or password sequences, and whenever possible to use two-factor authentication or other biometric recognition technologies. These technologies are becoming more and more mainstream and are worth investing in. Using multiple biometrics across all devices by clients and employees can help mitigate this risk, but all of this comes at a cost.

7) Social engineering attacks on employees will continue to grow

With companies and organizations across the world spending more and more time on their digital security strategies, cybercriminals have been forced to become increasingly creative in their attacks. We are now entering an era where Social Engineering Attacks are reaching the level of an art form.

Social Engineering is a tactic where cybercriminals attempt to create a believable cover from which to breach a network or to take advantage of a known vulnerability. In this context, it’s usually an email-based phishing attack which impersonates an employee’s co-worker or superior in a believable-enough way to get them to click a link or open an attachment—though it can take other forms as well.

It’s absolutely crucial that all companies and organizations spend time and resources training all their employees on threat detection and how to handle anything suspicious that gets sent their way.

8) Open Source risks

The move to Open Source has been an amazing change in the world of Information Technology over the past 20 years, from the early advent of Linux in the late 90s to the myriad systems, applications and software development enablers. How does one protect and ensure that code and functionality that is being developed by many of the commercial organizations is not fraught with some time bomb(s) hidden within the code? IT teams in organizations will need to develop new techniques, skills and processes to ensure that this new vulnerability does not destroy their organization in the days, weeks, months and years after the code is released into production.

9) Commercialized anti-DDoS will emerge

This is a threat with the potential to affect entire countries—not just companies and industries. Recently, we’ve seen DDoS (Distributed Denial of Service) attacks in excess of 100’s of GB. This is a staggering amount of power on the part of the attacker. These attacks can take entire server farms down for as long as they continue to be executed, and put companies and organizations at the mercy of their attackers.

It’s only a matter of time before a start-up is formed in a largely unregulated country that can directly attack or patch botnet systems. This will mark a new chapter in the history of cyber warfare as it will give lesser developed countries access to a powerful weapon while forcing entire nations to reckon with the threat.

10) The attack of the Bots

The future looks amazing with the advancement in technology and programming languages. There is an opportunity truly to turn many of the science fiction and Hollywood imaginations into realities.

Humans can handle exception processing and reasoning better than machines can ever do. However, machines can handle repetitive, voluminous processes much better than humans can ever do. The one place where ‘software robots’ can truly make a difference for the better is in handling repetitive client requests and manual processing. Unfortunately, this strength is also going to be aimed at bombarding networks and millions of servers and routers in the ever-expanding world of connected devices. This means that going forward the number of DDoS attacks will multiply at an alarming rate – and ‘HW-based software patching’ will continue to pose a big challenge for the large hosting organizations, as they try to manage the growing number of devices and automatic software updates. The Attack of the Bots is coming to a theatre near you – shortly.

Published in Cyber security

Rumi Contractor is President & COO @ Quinnox Inc., a technology-driven services organization for businesses. Here Metin Mitchell interviews the former CIO and Group General Manager for HSBC on the security risks facing corporates and how boards, in particular, should respond.

Metin Mitchell (MM): What are the cyber security threats facing businesses and how well are boards managing these risks?

Rumi Contractor (RC): Cyber security has become a hot potato in recent times with more and more high profile cases emerging – just this week we heard Uber paid off hackers who stole the personal details of 57 million riders last year. However, the reality is that most board rooms do not really grasp the high stakes they are risking each and every day - as the trustees of companies and businesses they are required to help protect as well as manage and grow those businesses.

MM: I recently chaired a panel for CFO Strategies Forum and the role of CFOs in automation. What should boardrooms be doing to address cyber risks?

RC: The world is becoming more and more connected and this trend is only going to keep getting bigger and more complex. The more connected systems become, the more breakpoints – these are opportunities to ‘hack’ or ‘leak’ in the fabric of an organization. I do not claim to be an IT security expert but I understand the risks that are out there and I understand how they can happen and I also know the possible ways to breach those gaps. This experience is not easy to come by for most boards. I have always believed that boards need to stop hiring and using the CIO as a technical fixer and more as an expert who has an ability to translate business goals and needs into technical strategies and blueprints WHILE taking technical issues and translating them into business speak and plans.

MM: What are the main cyber security risks for corporates?

RC: At the end of the day, a security breach which causes real damage involves ‘stealing data’ or ‘manipulating data’ or ‘denying access to YOUR data’. That’s the crux of what really happens in a cyber-breach.

MM: Can you give me some examples of these security breaches?

RC: The first is when someone tries to get into your systems from the outside. These could be hackers trying to bombard your networks and find a vulnerability to get access to your servers, computers, networks and databases. Usually they get into YOUR environment through a loophole that they have managed to identify from a vendor-related weakness – say, because your team did not ‘harden’ the peripherals in your IT landscape. Or because your customers and/or employees have allowed these hackers to get into devices they use to access your corporate systems and networks. Or maybe people have left their devices and systems unsecured and through social engineering, access has been gained by those who are intent on causing you harm.


To bring an analogy of a house, this is where the burglar finds a window left open and climbs in, or someone finds your telephone line outside and taps the connection and listens into your darkest secrets, or finds a lock that is really weak and easily manipulates the same and gains access to your home.

The second category of cyber security breach is one which is most common – internally generated. This is where people have opened connections from inside the corporate environment intentionally (to provide access to others from outside) or done this through sloppy work or non-conformance to stated policies. In either case this access is not because the systems were not ‘hardened’ or that you did not have solid security policies, it is either through stupidity or malicious intent. This is usually harder to identify and avoid. Hence it becomes important that you have systems and monitoring tools that are able to detect such abnormalities as and when they occur.

This is akin to someone in your home intentionally or through carelessness leaving the door to your home unlocked or a window open. You might have a WiFi router with a default password (Admin) which is then accessed by someone from outside the house (from close proximity), who gains access to data that is flowing between the devices inside the house and the internet!

The last category is one where the house is secure both from the outside and the inside BUT the appliances you have inside the house are probably tainted with ‘loopholes’ that allow access to someone with a bit of sophistication and understanding of these matters.

More and more devices are connecting to each other (through the Internet of Things - IoT). Some examples would be WiFi Routers, Amazon Alexa, Google Home Devices, Android Operating Systems on your TV, streaming video dongles, connected refrigerators, mobile phones and more. If they have any loophole – because of a recent operating system update or downloading a Trojan horse during an internet or social media surfing session – then it may end up tainting other devices or rendering them ‘exposed’ – and possibly under the control of Ransomware security ‘bots’.
